CHI-LTD asked:

AD DS Migration

Hi


We are going to replace our 2012 R2 DC with a 2022 server DC.

The 2022 server is now a DC, but I plan to migrate the roles from 2012 R2 to 2022. We have Exchange 2016. The domain functional level is currently 2008 R2.

Two Q's:

1. Can I move the roles from old to new without issue?

2. Would upgrading the functional level have any impact?


Thanks


DEMAN-BARCELO (MVP) Thierry

Hi Chi-LTD

1) Yes, you should be able to move the roles, but actually 2022 DCs are not supported!

Always verify this matrix before doing a new configuration.

https://docs.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019
 
2) No, upgrading the functional level is not a problem.
CHI-LTD (ASKER)

Even though I have read that the 2022 forest functional level isn't supported for Exchange 2016..?
ASKER CERTIFIED SOLUTION
Rodney Barnhardt

This solution is only available to members.

The last functional level supported is "Windows Server 2016"

So, Exchange should point to supported domain controllers, other than DC 2022.

2022 domain controllers are incompatible with all Exchange versions.

You need to install at least one 2019 domain controller, before removing all 2012 R2 existing domain controllers.
Based on this document, I do not think there is a forest functional level 2022. It is still at 2016. I upgraded all of my DCs to Windows Server 2019 a while back and there is no 2019 functional level. That is why I checked.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
CHI-LTD (ASKER)

We have a few of each:

4x 2008 R2, of which one is being replaced. The other three will stay for now.
2x 2019
1x Exchange 2016.

So with 3x 2008 R2, 2x 2019 and one 2022 (was planning on this being the PDC - main role holder), will Exchange then function with the other DCs?
It should be better to set the PDC on one 2019 DC.

It is not a good idea to have only one DC in the last version (2022), and to set important roles on it.
CHI-LTD (ASKER)

The 2019 servers are in Azure. The others are on premise. The bulk of systems are on prem, which is why the 2019 servers haven’t been used as main DCs.
As 2022 domain controllers are actually not supported, and all impacts of this configuration are not known, I would propose to upgrade another on-premises DC to Windows 2019.

Or, you should downgrade the 2022 DC to 2019.
I agree with Deman,
I will stop one version before for a flawless work environment.

CHI-LTD (ASKER)

Is it possible to downgrade 2022 to 2019 when a DC?
Yes. Possible.
You can downgrade. I recommend to go to 2016/2019 now.
CHI-LTD (ASKER)

Any reference guides? I cannot see any...
Do you mean downgrade Forest Functional level or DC?

CHI-LTD (ASKER)

Downgrade the 2022 DC to 2019, then move FSMO roles from 2012 R2.
The only way to do that would be to rebuild the 2022 server as a 2019 server, if you already have it built. If you have promoted it to a DC, you would need to demote it first. If you have never moved FSMO roles before, it is actually fairly straightforward. Below is the link to the MS document on moving them.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds 

I also created a video tutorial a few years ago on replacing and moving the FSMO roles during an upgrade. It is the same process as moving to a 2019.

https://www.experts-exchange.com/videos/500/Transferring-Active-Directory-FSMO-Roles-to-a-Windows-2012-Domain-Controller.html
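
A pre-flight check and role transfer with the ActiveDirectory PowerShell module, as an added example that is not part of the thread or the linked Microsoft article. The target DC name is a hypothetical placeholder, and the OS allow-list is an assumption taken from the 2016/2019 recommendation above; adjust both to your environment.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and rights to move the roles.
Import-Module ActiveDirectory

# Assumptions: a placeholder target DC name, and an OS allow-list the operator
# keeps in line with the Exchange supportability matrix (2016/2019 per the thread).
$TargetDC    = 'DC2019-ONPREM'   # hypothetical name
$SupportedOS = @('Windows Server 2016*', 'Windows Server 2019*')

# 1. Inventory every DC: site, OS version and the FSMO roles it holds today.
$dcs = Get-ADDomainController -Filter *
$dcs | Sort-Object Name | Format-Table -AutoSize Name, Site, OperatingSystem,
    @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ', ' } }

# 2. Record the current functional levels before changing anything.
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode: $($domain.DomainMode)  Forest mode: $($forest.ForestMode)"

# 3. Stop if the target is missing or runs an OS outside the allow-list.
$target = $dcs | Where-Object { $_.Name -eq $TargetDC }
if (-not $target) { throw "Target DC '$TargetDC' was not found in this domain." }
$osAllowed = @($SupportedOS | Where-Object { $target.OperatingSystem -like $_ }).Count -gt 0
if (-not $osAllowed) {
    throw "$TargetDC runs '$($target.OperatingSystem)', which is not on the allow-list."
}

# 4. Dry run of the transfer. Remove -WhatIf to move the roles for real.
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $roles -WhatIf

# 5. After a real transfer, confirm who holds each role.
[pscustomobject]@{
    PDCEmulator          = (Get-ADDomain).PDCEmulator
    RIDMaster            = (Get-ADDomain).RIDMaster
    InfrastructureMaster = (Get-ADDomain).InfrastructureMaster
    SchemaMaster         = (Get-ADForest).SchemaMaster
    DomainNamingMaster   = (Get-ADForest).DomainNamingMaster
} | Format-List
```

Step 3 is the guard that matters for this thread: it blocks the transfer when the chosen target runs an OS version you have not confirmed as supported for your Exchange deployment.
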
CHI-LTD (ASKER)

Thought as much. Ideally build a new 2019 server and add as a new DC?

What are the issues with making one of our Azure DCs the FSMO holder?
Based on anything I have read, this is not really recommended unless you have everything in Azure. For one, if you have an Internet issue, your on-premises systems may have authentication problems, especially if your PDC is in Azure.

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain#active-directory-operations-masters

https://social.msdn.microsoft.com/Forums/en-US/7eb67cc3-6fa2-4f81-8df4-aa4c72315c87/every-fsmo-role-in-azure?forum=WindowsAzureAD
CHI-LTD (ASKER)

Thanks for the info. The old 2012 R2 and new 2022 DCs are physical. We have another 2012 R2 DC which is virtualised. Should we have FSMO roles on physical or VM, or no difference?
All of mine are on virtual servers. So I do not see that it matters.